Don't add service accounts to the local Administrators group

by
Mitch Tulloch
[Published on 10 April 2012 / Last Updated on 4 Aug. 2011]

Why you should never add service accounts to the local Administrators group on a computer.

An admin recently asked me whether it's a good idea to add local service accounts to the local Administrators group on a server to ensure these service accounts have sufficient privileges to enable the server application to run properly. He was wondering if there could be a security risk if you do this.

The answer is: Don't do this! Before Windows XP and Windows Server 2003, the only built-in service account was the LocalSystem account, which has full administrator privileges. In order to reduce the attack surface of services running on the computer, Windows XP and Windows Server 2003 introduced two new built-in service accounts: LocalService and NetworkService. These two accounts have far fewer privileges than LocalSystem, so if a service using one of these accounts gets compromised, the damage that the attacker can do will be considerably less than if the service had been running under the LocalSystem context.

Bottom line: Service accounts should have the absolute minimum privileges needed in order for the server application to run. Whenever possible, use one of the lower-privileged built-in service accounts: LocalService or NetworkService. If you must create a new service account, don't make it a member of the local Administrators group on the server, as this will give your service account too many privileges, potentially increasing the attack surface of your server.
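To check an existing server against this advice, the following audit script (an added example, not part of the original tip) lists services whose logon account is a direct member of the local Administrators group. It assumes an elevated Windows PowerShell 5.1 or later session; the helper name `Resolve-AccountSid` is hypothetical, and accounts that are administrators only through a nested group are not detected.

```powershell
# Added example: find services that log on with an account that is a direct
# member of the local Administrators group. Read-only; changes nothing.

# Built-in service accounts as they appear in Win32_Service.StartName.
# LocalSystem is skipped because it is fully privileged by design.
$builtIn = 'LocalSystem', 'NT AUTHORITY\SYSTEM',
           'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'

function Resolve-AccountSid {   # hypothetical helper name
    param([string]$Account)
    # Services store local accounts as ".\name"; expand to "COMPUTER\name".
    if ($Account.StartsWith('.\')) {
        $Account = '{0}\{1}' -f $env:COMPUTERNAME, $Account.Substring(2)
    }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        $null   # account does not resolve (deleted user, unreachable domain)
    }
}

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators; using the SID
# avoids depending on the localized group name.
$adminSids = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    ForEach-Object { $_.SID.Value }

$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($builtIn -notcontains $_.StartName) } |
    ForEach-Object {
        $sid = Resolve-AccountSid -Account $_.StartName
        [pscustomobject]@{
            Service          = $_.Name
            Account          = $_.StartName
            Sid              = $sid
            InAdministrators = ($null -ne $sid) -and ($adminSids -contains $sid)
        }
    }

# Services running as a local administrator: candidates for a lower-privileged account.
$findings | Where-Object InAdministrators | Format-Table Service, Account, Sid -AutoSize

# Services whose logon account could not be resolved: review these by hand.
$findings | Where-Object { -not $_.Sid } | Format-Table Service, Account -AutoSize
```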

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and a widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.
